Systematic attacks on multiple services & ports (getting past NAT) on hobby server

Tags: dynamic-dns, nginx, ports, security, ssh

  • Fresh install of Fedora 25 Server
  • Server behind a router with only a few NAT-rules
  • Many SSH login attempts from hundreds of different IPs / ports (ever-changing)
  • Recently, attacks / exploits on nginx (running in a Docker instance) show up in the log, too.

A few examples from the log:

error: maximum authentication attempts exceeded for invalid user root from 88.14.203.97 port 56548 ssh2 [preauth]

error: Received disconnect from 52.221.236.126 port 62639:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

[error] 6#6: *138 open() "/usr/share/nginx/html/nice ports,/Trinity.txt.bak" failed (2: No such file or directory), client: 77.77.211.78, server: localhost, request: "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0"

I went through the basic hardening measures at install, including only allowing SSH login with a certificate (no passwords, no root).

Questions

  • How can the attackers reach different ports on my LAN, not configured in NAT? UPnP…?
  • Is it possible to block / stop these blind attacks?

Additional and possibly relevant information

I use the Dynamic DNS service freedns.afraid.org with a newly registered domain name.

Best Answer

How can the attackers reach different ports on my LAN, not configured in NAT? UPnP …?

That is possible only if your server was compromised or external connections come in over ports opened by UPnP. When you create forwarding rules, you may specify what port or range of ports will be forwarded to a particular IP residing on the LAN side. You can also change (substitute) external port(s) to local ones with different values (external port 3456 forwarded to local port 22, for example) or set one-to-one forwarding (external 22 to internal 22). So the short answer: only the ports you opened on the firewall will be forwarded to a particular IP on the LAN.

If you put your server in the DMZ zone, it means your server is fully exposed to the Internet on all ports; this way all ports are available for external connections.

Check also this list of vulnerable routers; if the router itself was hacked, then it isn't your network anymore.

Is it possible to block / stop these blind attacks?

Take a look at the similar question and the answer that followed on how to secure against and reduce such scanning attempts.
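As an added example (not part of the question or the answer above), the following Python parses lines in the two log formats quoted in the question, counts suspicious events per source address across both sshd and nginx, and produces a firewalld rich rule (Fedora's default firewall) for addresses over a threshold. The sample lines and addresses are constructed, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the question
# (sshd "[preauth]" errors and nginx open() errors); the addresses are
# documentation-range placeholders, not the ones from the original post.
SAMPLE_LOG = """\
error: maximum authentication attempts exceeded for invalid user root from 203.0.113.5 port 56548 ssh2 [preauth]
error: Received disconnect from 203.0.113.5 port 62639:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.5 port 40001 ssh2 [preauth]
error: Received disconnect from 198.51.100.7 port 50000:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
[error] 6#6: *138 open() "/usr/share/nginx/html/nice ports,/Trinity.txt.bak" failed (2: No such file or directory), client: 192.0.2.9, server: localhost, request: "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0"
[error] 6#6: *139 open() "/usr/share/nginx/html/example.bak" failed (2: No such file or directory), client: 192.0.2.9, server: localhost, request: "GET /example.bak HTTP/1.0"
"""

SSH_PREAUTH = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+.*\[preauth\]")
NGINX_ERROR = re.compile(r'client: (\d{1,3}(?:\.\d{1,3}){3}),.*request: "([^"]*)"')

def parse_events(log_text):
    """Return (source_ip, kind, detail) tuples for every recognised line."""
    events = []
    for line in log_text.splitlines():
        m = SSH_PREAUTH.search(line)
        if m:  # sshd failure before authentication completed
            events.append((m.group(1), "ssh-preauth", line.split("error: ", 1)[-1]))
            continue
        m = NGINX_ERROR.search(line)
        if m:  # nginx could not open the requested file (probe for a non-existent path)
            events.append((m.group(1), "nginx-404", m.group(2)))
    return events

def count_by_source(events):
    """Number of suspicious events per source address, across both services."""
    return Counter(ip for ip, _, _ in events)

def offenders(events, threshold):
    """Addresses at or above the threshold, busiest first (fail2ban-style)."""
    counts = count_by_source(events)
    return [ip for ip, n in counts.most_common() if n >= threshold]

def firewalld_reject_rule(ip):
    """firewalld rich rule rejecting further traffic from one address;
    it is installed with: firewall-cmd --add-rich-rule='<rule>'."""
    return f'rule family="ipv4" source address="{ip}" reject'
```

The threshold and window are the knobs to tune: a single failed login is noise, while the same address failing repeatedly against both services in a short span is what a fail2ban jail would act on.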
